The reliability and security of an IP network are essential in a world where computer networks are a key element of intra-entity and inter-entity communications and transactions. The original Internet protocols were designed on the assumption that system users would connect to the network for strictly legitimate purposes; as a consequence, no particular consideration was given to security issues at the time. In recent years, however, the incidence of malicious attacks on communication networks has grown to alarming proportions.
Among the various classes of malicious attacks recognized today, denial of service (DoS) attacks often lead to a complete disruption of the targeted service. DoS attacks can particularly harm e-commerce providers by denying them the ability to serve their clients, which leads to loss of sales and advertising revenue; the patrons may also seek competing alternatives (Amazon, E*Trade, and eBay are among recent victims). DoS attacks may take a variety of forms. Some involve the use of specially constructed packets designed to take advantage of flaws in the software. Other types of DoS attacks are designed to tie up resources within devices. Thus, an attacker may flood a victim network or server with a large volume of traffic, consuming critical system resources such as bandwidth, CPU capacity, etc. As an example, the widely deployed transmission control protocol (TCP) layer software uses buffers to handle the handshake exchange of messages used to establish a communication session. Each connection request consumes a portion of the finite memory space allotted to these buffers. A large number of connection requests received in a short period of time will exhaust the allotted memory space, making the system unable to respond to legitimate requests and potentially causing it to crash due to buffer overloads.
Distributed DoS (DDoS) attacks can be even more damaging, as they involve generating artificial network traffic from multiple points on the network simultaneously, typically from terminals that have been “hijacked” or subverted by the attacker. A notable form of DDoS attack is access link flooding, which occurs when a malicious party directs spurious packet traffic over an access link connecting an edge network of an enterprise to the public Internet. This traffic flood, when directed at a victim edge network, can inundate the access link, usurping access link bandwidth from the VPN tunnels operating over that link. As such, the attack can cause partial or total denial of the VPN service and disrupt the operation of any mission-critical application that relies on that service.
The Transmission Control Protocol (TCP), which operates at the OSI transport layer (L4), provides a fundamental level of reliability and data transfer, including flow control, error handling and the problems involved in the transmission and reception of packets. The transport packet includes the user-originated data and all the information the network needs to transport this data from the source to the destination; as such, the packet includes the addresses of the originator (IP source address) and of the intended receiver (IP destination address). In order either to hide the origin of an attack or to make an attack effective at all, attackers generally disguise (spoof) the true origin of the malicious packets by forging packets with bogus source identities. This often makes attack mitigation techniques ineffective.
The IP source address is not the only source information available to attackers. Both the real identity of the sender and the source of a given flow (herein referred to as the “source identity”) are also carried at the application layer, in the payload of the IP packet. Typically, these Layer 5/7 protocols use the network identities (IP address or domain name) together with some locally unique prefix as entity identifiers, for example aaln/2@rgw2.whatever.net or sip:johndoe@192.168.0.1. This information is legitimately used for routing purposes, NAT traversal, subscriber or request-initiator identification, etc. However, attackers may also spoof both the IP address and the domain name carried in application-layer packets; this is termed here “identity spoofing” or “application layer attacks”.
The existing Layer 2/3 security mechanisms that filter malicious packets and frames are useless against Layer 5/7 identity spoofing, which affects only protocol-aware applications. The traditional ways to prevent or detect identity spoofing include application-level endpoint authentication (the AH in the Megaco protocol, IETF RFC 3015, or Digest Authentication in the Session Initiation Protocol, IETF RFC 3261), use of IP anti-spoofing mechanisms close to the source, such as DHCP snooping with ingress/egress filtering (IETF RFC 2827), and verification of the correspondence between the Layer 3 and Layer 5/7 identification information.
However, the currently available solutions are deficient in that they are proprietary and usually threat-specific. Each of the solutions identified above has its own limitations in terms of applicability, performance or the types of attacks it can mitigate or detect. Furthermore, verifying the correspondence between L3 and L5/7 identities may produce false positives: a mere discrepancy between L3 and L5/7 data is not always a sign of malicious spoofing, because the L3 identities may legitimately differ from the L5/7 identities as a result of interference by intermediate network entities, or of user mobility support.
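As an added illustration of the L3 versus L5/7 correspondence check and of the false-positive caveat just described (example code written for this text, not part of the original document or of any product it names), the following Python compares the IP source address of a packet with the host carried in the SIP Via/From identity of its payload. The NAT_MAP table, the regular expressions, the SAMPLE_PACKETS and all addresses are constructed assumptions; the point is that a bare mismatch is only reported as spoofing when no known intermediate translation explains it, and that a domain-name identity is reported as inconclusive rather than compared as a string.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical configuration (an assumption of this example): public address of a
# known NAT device mapped to the private networks it translates for.  A Via host
# from one of these networks arriving with the matching public L3 source is a
# legitimate L3/L7 discrepancy, not spoofing.
NAT_MAP: Dict[str, List[str]] = {"203.0.113.7": ["10.1.2.0/24"]}

# Top Via sent-by host, and From URI host, of a SIP message.
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", re.IGNORECASE | re.MULTILINE)
FROM_RE = re.compile(r"^From:.*?sip:[^@>\s]+@([^;:>\s]+)", re.IGNORECASE | re.MULTILINE)


def sip_message(method_line: str, via_host: str, from_uri: str) -> str:
    """Build a minimal constructed SIP request payload (sample data, not captured traffic)."""
    return "\r\n".join([
        method_line,
        f"Via: SIP/2.0/UDP {via_host}:5060;branch=z9hG4bKabc",
        f"From: <{from_uri}>;tag=1",
        "Call-ID: c1@example",
        "CSeq: 1 INVITE",
        "", "",
    ])


# Constructed sample packets: (L3 IP source address, application-layer payload).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    # L3 and L5/7 identities agree.
    ("192.168.0.1", sip_message("INVITE sip:bob@example.net SIP/2.0", "192.168.0.1", "sip:johndoe@192.168.0.1")),
    # Legitimate discrepancy: the host sits behind the NAT at 203.0.113.7.
    ("203.0.113.7", sip_message("INVITE sip:bob@example.net SIP/2.0", "10.1.2.3", "sip:alice@10.1.2.3")),
    # Identity spoofing: payload claims 192.168.0.1 but arrives from an unrelated source.
    ("198.51.100.9", sip_message("INVITE sip:bob@example.net SIP/2.0", "192.168.0.1", "sip:johndoe@192.168.0.1")),
    # Domain-name identity: cannot be compared with the L3 address without resolution.
    ("198.51.100.20", sip_message("INVITE sip:bob@example.net SIP/2.0", "pbx.example.net", "sip:carol@example.net")),
]


def l7_identity_host(payload: str) -> Optional[str]:
    """Host part of the L5/7 identity: the top Via sent-by host, else the From URI host."""
    m = VIA_RE.search(payload) or FROM_RE.search(payload)
    return m.group(1) if m else None


def classify(src_ip: str, payload: str, nat_map: Dict[str, List[str]] = NAT_MAP) -> str:
    """Compare the L3 source address with the L5/7 identity and return a verdict."""
    host = l7_identity_host(payload)
    if host is None:
        return "no-identity"
    if host == src_ip:
        return "consistent"
    try:
        l7_addr = ipaddress.ip_address(host)
    except ValueError:
        # A domain name rather than an address literal: a plain string comparison
        # would be a false positive, so the check is reported as inconclusive.
        return "unverifiable"
    for private_net in nat_map.get(src_ip, []):
        if l7_addr in ipaddress.ip_network(private_net):
            return "nat-translated"   # expected discrepancy, not spoofing
    return "mismatch"                 # candidate identity spoofing


def audit(packets: List[Tuple[str, str]], nat_map: Dict[str, List[str]] = NAT_MAP) -> List[Tuple[str, str]]:
    """Run the correspondence check over a list of (src_ip, payload) packets."""
    return [(src, classify(src, payload, nat_map)) for src, payload in packets]


if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_PACKETS):
        print(f"{src:15} {verdict}")
```

Running the block prints one verdict per sample packet: consistent, nat-translated, mismatch, unverifiable. The NAT table is the piece a real deployment would have to maintain; without it (or an equivalent signal such as the Via "received" parameter) the second packet would be misreported as spoofing, which is exactly the false positive the text warns about.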
A more generic approach is to validate the expected protocol behavior, which is generally referred to as “protocol anomaly detection.” With this approach, compliance with the protocol specification is checked, as well as the way the protocol is being used, and alerts are issued as soon as deviations from the expected behavior are observed. These capabilities are integrated into Check Point FW-1 NG, Juniper NetScreen-IDP and some other intrusion detection systems. However, detecting unexpected behavior implies monitoring the exchange of protocol messages for individual flows and/or gathering statistical information. In the first case, the first bogus packet of each flow must reach the recipient anyway, and thus the attacker achieves his/her goal. In the second case, statistics-based decisions do not identify individual malicious flows but simply detect abnormal behavior in a given time period, which may not always indicate a malicious attack.
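To make the two detection styles of the preceding paragraph concrete, here is an added Python example (written for this text; it is not code from the original document nor from any of the products it names) of a minimal SIP protocol anomaly detector. It combines a per-flow rule (a response must answer a request already seen in the opposite direction of the same flow) with a statistical rule (INVITE rate per source over a sliding window). The SipAnomalyDetector class, its thresholds, the parser and the SAMPLE_TRACE are all constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Key = Tuple[str, str, str, str]   # (requester, responder, Call-ID, CSeq)


def parse_sip(payload: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP message into its start line and a lower-cased header map."""
    lines = payload.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class SipAnomalyDetector:
    """Hypothetical detector: per-flow transaction tracking plus a per-source INVITE rate rule."""

    def __init__(self, max_invites: int = 5, window: float = 1.0) -> None:
        self.max_invites = max_invites          # assumed threshold
        self.window = window                    # seconds, assumed
        self.pending: Set[Key] = set()          # requests that may legitimately be answered
        self.invite_times: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, ts: float, src: str, dst: str, payload: str) -> List[str]:
        """Feed one message; return the alerts it raised (possibly none)."""
        alerts: List[str] = []
        start, hdr = parse_sip(payload)
        call_id, cseq = hdr.get("call-id", ""), hdr.get("cseq", "")
        if start.startswith("SIP/2.0"):
            # Per-flow rule: a response must match a request seen the other way round.
            if (dst, src, call_id, cseq) not in self.pending:
                alerts.append(f"t={ts}: {src} sent a response for an unknown transaction {call_id}/{cseq}")
        else:
            method = start.split(" ", 1)[0]
            self.pending.add((src, dst, call_id, cseq))
            if method == "INVITE":
                # Statistical rule: sliding-window INVITE count per source.
                times = self.invite_times[src]
                times.append(ts)
                while times and ts - times[0] > self.window:
                    times.popleft()
                if len(times) > self.max_invites:
                    alerts.append(f"t={ts}: INVITE rate from {src} exceeds {self.max_invites} per {self.window}s")
        return alerts


def sip_request(method: str, call_id: str, cseq: int) -> str:
    """Constructed minimal SIP request (sample data)."""
    return f"{method} sip:bob@example.net SIP/2.0\r\nCall-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n\r\n"


def sip_response(code: int, call_id: str, cseq: int, method: str = "INVITE") -> str:
    """Constructed minimal SIP response (sample data)."""
    return f"SIP/2.0 {code} OK\r\nCall-ID: {call_id}\r\nCSeq: {cseq} {method}\r\n\r\n"


# Constructed trace (not captured traffic): (timestamp, src, dst, payload).
SAMPLE_TRACE = [
    (0.0, "10.0.0.1", "10.0.0.2", sip_request("INVITE", "c1", 1)),
    (0.1, "10.0.0.2", "10.0.0.1", sip_response(200, "c1", 1)),        # answers c1: fine
    (0.2, "198.51.100.9", "10.0.0.1", sip_response(200, "c999", 1)),  # no matching request
] + [
    (0.3 + 0.05 * i, "203.0.113.5", "10.0.0.2", sip_request("INVITE", f"flood{i}", 1))
    for i in range(6)                                                 # 6 INVITEs within 0.25 s
]


def run_trace(trace) -> List[str]:
    """Replay a trace through a fresh detector and collect every alert."""
    det = SipAnomalyDetector()
    alerts: List[str] = []
    for ts, src, dst, payload in trace:
        alerts.extend(det.observe(ts, src, dst, payload))
    return alerts


if __name__ == "__main__":
    for line in run_trace(SAMPLE_TRACE):
        print(line)
```

The replay raises exactly two alerts, and both show the limitations stated above: the unsolicited response at t=0.2 is flagged only after the detector has already seen it, so that first packet has reached 10.0.0.1 regardless; and the rate rule fires on the sixth INVITE without saying anything about which of the six is malicious, or whether a burst of six is malicious at all.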
It is also known to use application-level authentication. For example, the Wi-Fi Protected Access (WPA) standard is designed to improve on the security features of the Wired Equivalence Protocol (WEP), the security mechanism specified by the 802.11 standard. WPA includes two improvements over WEP, namely data encryption using the Temporal Key Integrity Protocol (TKIP) and user authentication using the Extensible Authentication Protocol (EAP). However, operators are generally reluctant to use this type of authentication, or to use it for every protocol message type, due to the performance impact and the burden of managing authentication keys. Besides, an authentication mechanism is not an inherent part of some protocols, such as MGCP.
There is a need for an application layer security mechanism that enables mitigation of a class of DoS attacks which target a given service provider's network infrastructure using packets that misrepresent themselves at the application layer as being sourced from a legitimate host of the respective network.
There is also a need for an application layer security mechanism for mitigating DoS attacks that does not rely on the deployment of anti-spoofing solutions by other service providers.